CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 211 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2237 | Med | 0.28 | 4.3 | 0.01 | Aug 12, 2020 | A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision. | ||
| CVE-2020-2215 | Med | 0.28 | 4.3 | 0.01 | Jul 2, 2020 | A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. | ||
| CVE-2020-15400 | — | Med | 0.28 | 4.3 | 0.00 | Jun 30, 2020 | CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. | |
| CVE-2019-16107 | — | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2020 | Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments. | |
| CVE-2020-7210 | — | Med | 0.28 | 4.3 | 0.01 | Jan 23, 2020 | Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. | |
| CVE-2020-5397 | Med | 0.28 | 5.3 | 0.02 | Jan 17, 2020 | Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight… | ||
| CVE-2020-5501 | — | Med | 0.28 | 4.3 | 0.00 | Jan 15, 2020 | phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. | |
| CVE-2019-16569 | Med | 0.28 | 4.3 | 0.01 | Dec 17, 2019 | A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials. | ||
| CVE-2019-10456 | Med | 0.28 | 4.3 | 0.01 | Oct 16, 2019 | A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||
| CVE-2019-10408 | Med | 0.28 | 4.3 | 0.01 | Sep 25, 2019 | A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates. | ||
| CVE-2019-10388 | Med | 0.28 | 4.3 | 0.01 | Aug 7, 2019 | A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | ||
| CVE-2019-10331 | Med | 0.28 | 4.3 | 0.01 | Jun 11, 2019 | A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||
| CVE-2019-10321 | Med | 0.28 | 4.3 | 0.01 | May 31, 2019 | A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained… | ||
| CVE-2018-17081 | Med | 0.28 | 4.3 | 0.01 | Sep 26, 2018 | e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page. | ||
| CVE-2018-15849 | Med | 0.28 | 4.3 | 0.00 | Aug 25, 2018 | An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php. | ||
| CVE-2018-1455 | Med | 0.28 | 4.3 | 0.01 | Aug 15, 2018 | IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029. | ||
| CVE-2018-1000514 | Med | 0.28 | 4.3 | 0.00 | Jun 26, 2018 | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. | ||
| CVE-2018-1514 | Med | 0.28 | 4.3 | 0.01 | Jun 7, 2018 | IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622. | ||
| CVE-2017-2613 | — | Med | 0.28 | 5.4 | 0.02 | May 15, 2018 | jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). | |
| CVE-2018-1442 | Med | 0.28 | 4.3 | 0.01 | Mar 8, 2018 | IBM Application Performance Management - Response Time Monitoring Agent (IBM Monitoring 8.1.4) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:… |
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.
- risk 0.28cvss 4.3epss 0.00
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
- risk 0.28cvss 4.3epss 0.00
Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.
- risk 0.28cvss 4.3epss 0.01
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
- risk 0.28cvss 5.3epss 0.02
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight…
- risk 0.28cvss 4.3epss 0.00
phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
- risk 0.28cvss 4.3epss 0.01
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…
- risk 0.28cvss 4.3epss 0.01
e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.
- risk 0.28cvss 4.3epss 0.00
An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php.
- risk 0.28cvss 4.3epss 0.01
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.
- risk 0.28cvss 4.3epss 0.00
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.
- risk 0.28cvss 4.3epss 0.01
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.
- risk 0.28cvss 5.4epss 0.02
jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).
- risk 0.28cvss 4.3epss 0.01
IBM Application Performance Management - Response Time Monitoring Agent (IBM Monitoring 8.1.4) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID:…